data/reports: add GO-2023-2394.yaml
Aliases: CVE-2023-50463, GHSA-rxg9-hgq7-8pwx
Fixes golang/vulndb#2394
Change-Id: Ibe2237125719d2b90551a8c1e5b409804a97b4b2
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/551916
Reviewed-by: Jonathan Amsterdam <jba@google.com>
Reviewed-by: Tim King <taking@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
diff --git a/data/osv/GO-2023-2394.json b/data/osv/GO-2023-2394.json
new file mode 100644
index 0000000..3c8196f
--- /dev/null
+++ b/data/osv/GO-2023-2394.json
@@ -0,0 +1,50 @@
+{
+ "schema_version": "1.3.1",
+ "id": "GO-2023-2394",
+ "modified": "0001-01-01T00:00:00Z",
+ "published": "0001-01-01T00:00:00Z",
+ "aliases": [
+ "CVE-2023-50463",
+ "GHSA-rxg9-hgq7-8pwx"
+ ],
+ "summary": "Spoofed source IP address in github.com/shift72/caddy-geo-ip",
+ "details": "The caddy-geo-ip (aka GeoIP) middleware for Caddy 2 allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).",
+ "affected": [
+ {
+ "package": {
+ "name": "github.com/shift72/caddy-geo-ip",
+ "ecosystem": "Go"
+ },
+ "ranges": [
+ {
+ "type": "SEMVER",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "ecosystem_specific": {
+ "imports": [
+ {
+ "path": "github.com/shift72/caddy-geo-ip"
+ }
+ ]
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50463"
+ },
+ {
+ "type": "REPORT",
+ "url": "https://github.com/shift72/caddy-geo-ip/issues/4"
+ }
+ ],
+ "database_specific": {
+ "url": "https://pkg.go.dev/vuln/GO-2023-2394"
+ }
+}
\ No newline at end of file
diff --git a/data/reports/GO-2023-2394.yaml b/data/reports/GO-2023-2394.yaml
new file mode 100644
index 0000000..2dc1078
--- /dev/null
+++ b/data/reports/GO-2023-2394.yaml
@@ -0,0 +1,20 @@
+id: GO-2023-2394
+modules:
+ - module: github.com/shift72/caddy-geo-ip
+ vulnerable_at: 0.6.0
+ packages:
+ - package: github.com/shift72/caddy-geo-ip
+ skip_fix: Relies on quic-go which doesn't build on Go 1.18.
+summary: Spoofed source IP address in github.com/shift72/caddy-geo-ip
+description: |-
+ The caddy-geo-ip (aka GeoIP) middleware for Caddy 2 allows attackers to spoof
+ their source IP address via an X-Forwarded-For header, which may bypass a
+ protection mechanism (trusted_proxy directive in reverse_proxy or IP address
+ range restrictions).
+cves:
+ - CVE-2023-50463
+ghsas:
+ - GHSA-rxg9-hgq7-8pwx
+references:
+ - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-50463
+ - report: https://github.com/shift72/caddy-geo-ip/issues/4